StealthWatch FlowCollector

Overview
Collect and analyze massive amounts of network data to obtain comprehensive visibility for early threat detection.

The StealthWatch FlowCollector collects and analyzes vast amounts of valuable data from existing network infrastructure to provide a complete, cost-effective picture of everything happening in an enterprise environment. Sophisticated behavioral analytics and advanced security context enable early detection and enhanced protection for a wide range of threats including APTs, insider threats, DDoS and zero-day malware. The FlowCollector uses flow-based anomaly detection to zoom in on any unusual behavior and immediately sends an alarm with actionable intelligence that allows personnel to take quick, decisive steps to mitigate any issues. Operators can use the StealthWatch System’s unique drill-down features to identify and isolate the root cause within seconds, enhancing operational efficiency, decreasing costs and dramatically reducing the time from problem onset to resolution.

Leverages Existing Infrastructure for Comprehensive, Cost-Effective Visibility

By drawing upon NetFlow, IPFIX and other types of flow data from existing infrastructure, the FlowCollector provides a cost-effective means of achieving comprehensive, end-to-end visibility across the entire enterprise network. Vast amounts of data are collected and analyzed from routers, switches, firewalls and other network infrastructure devices to provide a complete picture of network activity. No additional hardware, sensor technology, inline device or software agent is required. Essentially, the network is your sensor, detecting and alerting on anomalous behavior 24/7. Stitched, deduplicated, 1:1 flows further streamline network and security monitoring. In addition to detecting threats in real time, the StealthWatch FlowCollector can store months or even years of data, creating a complete audit trail that can be used to improve forensic investigations and compliance initiatives.

Detects Lateral Movement Not Seen by Other Technologies

While most security technologies focus on "bad" communications going to and from their network to the outside, the StealthWatch System protects the network from the inside out, also detecting suspicious communications within the network itself.  This monitoring of lateral, east-west traffic is critical for identifying insider threats, as well as tracking the spread of external attacks throughout the network to determine who has been infected.  

Provides Massive Scalability for Large, High-Speed Environments

A FlowCollector exists for any organization to monitor and protect every part of the network that is IP-reachable, regardless of size. With unmatched scalability, a single FlowCollector can store and analyze data from as many as 4,000 flow sources at up to 240,000 flows per second (fps). When fully scaled, the StealthWatch System can process data from as many as 50,000 flow sources at up to 6 million fps. Easy upgrade paths enable an organization to start small and expand the system as capacity needs change over time. The FlowCollector Virtual Edition (VE) is designed to perform the same function as the appliance editions, but in a VMware environment. The FlowCollector VE also scales dynamically according to the resources allocated to it.

| Features | Network | Security |
|---|---|---|
| Automatic baselining of all IP traffic | X | X |
| Automatic anomaly detection in traffic/host behavior | X | X |
| Layer 7 anomaly detection* | X | X |
| Massive scalability | X | X |
| Flexible deployment options, including virtual | X | X |
| NAT stitching | X | X |
| Peer-to-Peer (P2P) file sharing detection | X | X |
| Host and service profiling | X | X |
| Index-based prioritization technology | X | X |
| OS fingerprinting** | X | X |
| Support for application-aware flows such as NBAR* | X | X |
| Support for custom applications | X | X |
| Closest interface determination and tracking | X | X |
| Deduplication of flows | X | X |
| Virtual environment monitoring* | X | X |
| Host Group tracking and reporting | X | X |
| Router interface tracking and reporting | X | |
| Bandwidth accounting and reporting | X | |
| Packet-level performance metrics* | X | |
| QoS (DSCP) monitoring | X | |
| Interface utilization alarming | X | |
| Unauthorized host access detection* | X | X |
| Unauthorized Web server detection | X | X |
| Misconfigured firewalls detection* | X | X |
| Combined internal and external monitoring | X | X |
| Full flow logging | | X |
| Worm detection | | X |
| Botnet detection* | | X |
| DoS/DDoS detection (SYN, ICMP, or UDP flood) | | X |
| Fragmentation attack detection** | | X |
| Network scanning and reconnaissance detection | | X |
| Large file transfer detection | | X |
| Rogue server detection | | X |

*Limited functionality with sFlow
**Limited functionality with NetFlow

 

| Model | Flows Per Second | Routers | Description |
|---|---|---|---|
| StealthWatch FC 1000 | Up to 30,000 | Up to 500 | This StealthWatch FlowCollector appliance provides redundant power, storage, and extra interfaces for flow collection on multiple interfaces while providing enough horsepower for mid- to large-sized networks. |
| StealthWatch FC 2000 | Up to 60,000 | Up to 1000 | The FC 2000 for NetFlow is a powerhouse NetFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large NetFlow or IPFIX environments. |
| StealthWatch FC 4000 | Up to 120,000 | Up to 2000 | The FC 4000 is massively scalable to process very high volumes of flow data. It also features extensible storage capabilities of up to 4 TB. |

Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for NetFlow appliance is dependent on multiple factors including flows per second, physical location of NetFlow-enabled routers and quantity of NetFlow-enabled devices connected.

 

| Model | Flows Per Second | Description |
|---|---|---|
| StealthWatch FC 1000 for sFlow | Up to 30,000 | This StealthWatch FlowCollector appliance provides redundant power, storage, and extra interfaces for flow collection on multiple interfaces while providing enough horsepower for mid- to large-sized networks. |
| StealthWatch FC 2000 for sFlow | Up to 60,000 | The FC 2000 for sFlow is a powerhouse sFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large sFlow environments. |
| StealthWatch FC 4000 for sFlow | Up to 120,000 | The FC 4000 for sFlow is massively scalable to process very high volumes of flow data. It also features extensible storage capabilities of up to 4 TB. |

Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for sFlow appliance is dependent on multiple factors including samples per second, physical locations of sFlow-enabled devices and quantity of flow-enabled devices connected.

 

| | FC 1000* | FC 2000* | FC 4000* |
|---|---|---|---|
| Maximum Flows Per Second | Up to 30,000** fps | Up to 60,000** fps | Up to 120,000** fps |
| Maximum Exporters | 500 | 1,000 | 2,000 |
| Network | Management Port: 1 – 10/100/1000 Copper; Monitoring/Listening Ports: 3 | Management Port: 1 – 10/100/1000 Copper; Monitoring/Listening Ports: 3 | Management Port: 1 – 10/100/1000 Copper; Monitoring/Listening Ports: 3 |
| Flow Storage | 1 TB (RAID-6 Redundant) | 2 TB (RAID-6 Redundant) | 4 TB (RAID-6 Redundant) |
| Hardware Platform | R620 | R620 | R720 |
| Hardware Generation | 12G | 12G | 12G |
| Rack Units (Mountable) | 1U | 1U | 2U |
| Power | Redundant 750W AC, 50/60 Hz, Auto Ranging (100V to 240V) | Redundant 750W AC, 50/60 Hz, Auto Ranging (100V to 240V) | Redundant 750W AC, 50/60 Hz, Auto Ranging (100V to 240V) |
| Heat Dissipation | 2,891 BTU per hour maximum | 2,891 BTU per hour maximum | 2,891 BTU per hour maximum |
| Dimensions | Height: 1.68 in. (4.3 cm); Width: 17.08 in. (43.4 cm); Depth: 27.25 in. (69.2 cm) | Height: 1.68 in. (4.3 cm); Width: 17.08 in. (43.4 cm); Depth: 27.25 in. (69.2 cm) | Height: 3.4 in. (8.7 cm); Width: 17.5 in. (44.4 cm); Depth: 29.2 in. (74.1 cm) |
| Weight | 41 lb (18.6 kg) | 41 lb (18.6 kg) | 64.3 lb (29.2 kg) |
| Rails | Sliding Ready Rails with Cable Management Arm | Sliding Ready Rails with Cable Management Arm | Sliding Ready Rails with Cable Management Arm |

Regulatory
  • FCC (U.S. only) Class A
  • DOC (Canada) Class A
  • CE Mark (EN55022 Class A, EN55024, EN61000-3-2, EN 61000-3-3, EN60950)
  • VCCI Class A
  • UL 1950
  • CSA 950

Please call for a complete list.

* Specs for StealthWatch v6.5

**The maximum fps can change depending on varying network conditions. Please contact a Lancope representative for details.

 

| Flows Per Second | Exporters | Hosts | Reserved Memory | Reserved CPUs |
|---|---|---|---|---|
| Up to 4,500 | Up to 250 | Up to 125,000 | 4 GB | 2 |
| Up to 15,000 | Up to 500 | Up to 250,000 | 8 GB | 3 |
| Up to 22,500 | Up to 1,000 | Up to 500,000 | 16 GB | 4 |
| Up to 30,000 | Up to 1,000 | Up to 500,000 | 32 GB | 5 |

Note: More details can be found in the StealthWatch System Capacities & Sizing Guidelines. Contact Sales or a Lancope partner for the document.